cbcvebase.
CVE-2023-27638
published 2023-03-22

Priority: P178 (critical), CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 3.30% (87.0th percentile)
An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with a compromised tshirtecommerce_design_cart_id GET parameter in order to exploit an insecure parameter in the functions hookActionCartSave and updateCustomizationTable, which could lead to a SQL injection. This is exploited in the wild in March 2023.

Affected (1 range)

Vendor | Product | Version range | Fixed in
tshirtecommerce | custom_product_designer | |

Detection & IOCs (extracted from sources)

url: /module/tshirtecommerce/designer?tshirtecommerce_design_cart_id=1%20OR%20SLEEP(8)
path: /module/tshirtecommerce/designer
sigma
fofa-query: body="Prestashop" && body="tshirtecommerce"
  • Detect time-based blind SQL injection attempts via the tshirtecommerce_design_cart_id GET parameter; look for payloads containing OR SLEEP() or similar time-delay functions in requests to /module/tshirtecommerce/designer
  • The vulnerability is unauthenticated; any request to the designer endpoint with a manipulated tshirtecommerce_design_cart_id should be treated as suspicious regardless of session state
  • Use a time-based detection threshold: responses to /module/tshirtecommerce/designer with duration >= 8 seconds indicate successful SLEEP() injection
  • Fingerprint vulnerable PrestaShop instances by checking for co-presence of 'prestashop' and 'tshirtecommerce' strings in the HTTP response body before probing the injection endpoint
  • Active exploitation in the wild was observed in March 2023; prioritize detection on PrestaShop instances running tshirtecommerce (Custom Product Designer) version 2.1.4
  • The Nuclei template uses a 30-second timeout for the time-based injection request; detection infrastructure must be configured to allow sufficiently long HTTP timeouts or the SLEEP-based probe will be missed
  • The template is gated on a two-step flow: the first request must confirm both 'prestashop' and 'tshirtecommerce' in the response body before the injection probe fires; single-step scanners will need to replicate this pre-check
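The detection notes above describe three signals for this CVE: requests to /module/tshirtecommerce/designer, a non-numeric or time-delay payload in the tshirtecommerce_design_cart_id parameter, and a response time at or above the 8-second SLEEP threshold. The following log scanner is an added example written for this page; it is not code from the advisory, the Nuclei template, or the tshirtecommerce project. It assumes an Apache combined log format with the request duration appended as a final field in microseconds (a common `%D` customisation), and the three log lines are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory; the response-time threshold
# mirrors the 8-second SLEEP() in the published IOC URL.
DESIGNER_PATH = "/module/tshirtecommerce/designer"
PARAM = "tshirtecommerce_design_cart_id"
SLOW_RESPONSE_SECONDS = 8.0

# Time-delay constructs typical of time-based blind SQL injection probes.
DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b", re.IGNORECASE)

# Assumed log format: Apache combined log plus request duration (microseconds)
# as the last field. Adjust the pattern to your own web server's format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "[^"]*" (?P<us>\d+)$'
)

# Constructed sample lines: one legitimate designer request, one probe matching
# the IOC URL above, and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Mar/2023:10:15:01 +0000] "GET /module/tshirtecommerce/designer'
    '?tshirtecommerce_design_cart_id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 180000',
    '198.51.100.9 - - [14/Mar/2023:10:15:07 +0000] "GET /module/tshirtecommerce/designer'
    '?tshirtecommerce_design_cart_id=1%20OR%20SLEEP(8) HTTP/1.1" 200 5120 "-" '
    '"python-requests/2.28" 8210000',
    '198.51.100.9 - - [14/Mar/2023:10:15:20 +0000] "GET /index.php?id_product=3 HTTP/1.1" '
    '200 9000 "-" "python-requests/2.28" 120000',
]


def classify(line):
    """Return a finding dict for a suspicious designer request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != DESIGNER_PATH:
        return None
    # parse_qs percent-decodes once, matching what PHP sees in $_GET.
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    value = values[0]
    reasons = []
    # The cart id is expected to be a plain integer; anything else is suspect,
    # regardless of session state (the endpoint is unauthenticated).
    if not value.isdigit():
        reasons.append("non-numeric cart id")
    if DELAY_RE.search(value):
        reasons.append("time-delay function in cart id")
    duration = int(m.group("us")) / 1_000_000
    # A slow response on its own is noise; combined with a tampered id it is
    # the signature of a successful SLEEP()-based probe.
    if reasons and duration >= SLOW_RESPONSE_SECONDS:
        reasons.append(f"slow response ({duration:.1f}s)")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "value": value, "duration_s": duration, "reasons": reasons}


def scan(lines):
    """Run classify() over an iterable of log lines and collect findings."""
    return [f for f in (classify(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The probe line yields a single finding with all three reasons; the legitimate designer request and the unrelated request produce none. Because the check keys on a tampered parameter first and only then on latency, a slow but well-formed request is not reported, which keeps the rule usable on an overloaded shop.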

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL